Export limit exceeded: 337982 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (337982 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-69246 | 1 Raytha | 1 Raytha | 2026-03-30 | 9.8 Critical |
| Raytha CMS does not have any brute force protection mechanism implemented. It allows an attacker to send multiple automated logon requests without triggering lockout, throttling, or step-up challenges. This issue was fixed in version 1.4.6. | ||||
| CVE-2026-2578 | 1 Mattermost | 2 Mattermost Server, Server | 2026-03-30 | 4.3 Medium |
| Mattermost versions 11.3.x <= 11.3.0 fail to preserve the redacted state of burn-on-read posts during deletion which allows channel members to access unrevealed burn-on-read message contents via the WebSocket post deletion event.. Mattermost Advisory ID: MMSA-2026-00579 | ||||
| CVE-2026-2462 | 1 Mattermost | 2 Mattermost Server, Server | 2026-03-30 | 6.6 Medium |
| Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to restrict plugin installation on CI test instances with default admin credentials which allows an unauthenticated attacker to achieve remote code execution and exfiltrate sensitive configuration data including AWS and SMTP credentials via uploading a malicious plugin after changing the import directory. Mattermost Advisory ID: MMSA-2025-00528 | ||||
| CVE-2026-4237 | 1 Itsourcecode | 1 Free Hotel Reservation System | 2026-03-30 | 7.3 High |
| A flaw has been found in itsourcecode Free Hotel Reservation System 1.0. This vulnerability affects unknown code of the file /hotel/admin/mod_reports/index.php. Executing a manipulation of the argument Home can lead to sql injection. The attack may be performed from remote. The exploit has been published and may be used. | ||||
| CVE-2026-24458 | 1 Mattermost | 1 Mattermost Server | 2026-03-30 | 7.5 High |
| Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to properly handle very long passwords, which allows an attacker to overload the server CPU and memory via executing login attempts with multi-megabyte passwords. Mattermost Advisory ID: MMSA-2026-00587 | ||||
| CVE-2026-25783 | 1 Mattermost | 2 Mattermost, Mattermost Server | 2026-03-30 | 4.3 Medium |
| Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to properly validate User-Agent header tokens which allows an authenticated attacker to cause a request panic via a specially crafted User-Agent header. Mattermost Advisory ID: MMSA-2026-00586 | ||||
| CVE-2026-4265 | 1 Mattermost | 3 Mattermost, Mattermost Server, Server | 2026-03-30 | 4.3 Medium |
| Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to validate team-specific upload_file permissions which allows a guest user to post files in channels where they lack upload_file permission via uploading files in a team where they have permission and reusing the file metadata in a POST request to a different team. Mattermost Advisory ID: MMSA-2025-00553 | ||||
| CVE-2026-4238 | 1 Itsourcecode | 1 College Management System | 2026-03-30 | 4.7 Medium |
| A vulnerability has been found in itsourcecode College Management System 1.0. This issue affects some unknown processing of the file /admin/courses.php. The manipulation of the argument course_code leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2026-4909 | 1 Code-projects | 1 Exam Form Submission | 2026-03-30 | 2.4 Low |
| A weakness has been identified in code-projects Exam Form Submission 1.0. This impacts an unknown function of the file /admin/update_s7.php. This manipulation of the argument sname causes cross site scripting. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. | ||||
| CVE-2026-3098 | 2 Nextendweb, Wordpress | 2 Smart Slider 3, Wordpress | 2026-03-30 | 6.5 Medium |
| The Smart Slider 3 plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 3.5.1.33 via the 'actionExportAll' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information. | ||||
| CVE-2024-14028 | 1 Softing | 2 Smartlink Hw-dp, Smartlink Hw-pn | 2026-03-30 | 6.5 Medium |
| Use after free vulnerability in Softing smartLink HW-DP or smartLink HW-PN webserver allows HTTP DoS. This issue affects: smartLink HW-DP: through 1.31 smartLink HW-PN: before 1.02. | ||||
| CVE-2026-3457 | 1 Thales | 1 Sentinel Ldk Runtime | 2026-03-30 | N/A |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Thales Sentinel LDK Runtime on Windows allows Stored XSS.This issue affects Sentinel LDK Runtime: before 10.22. | ||||
| CVE-2026-4309 | 1 Nec | 20 Aterm W1200ex(-ms), Aterm Wf1200cr, Aterm Wg1200cr and 17 more | 2026-03-30 | N/A |
| Missing Authorization vulnerability in NEC Platforms, Ltd. Aterm Series allows a attacker to get a specific device information and change the settings via network. | ||||
| CVE-2026-4621 | 1 Nec | 21 Aterm W1200ex(-ms), Aterm Wf1200cr, Aterm Wg1200cr and 18 more | 2026-03-30 | N/A |
| Hidden Functionality vulnerability in NEC Platforms, Ltd. Aterm Series allows a attacker to enable telnet via network. | ||||
| CVE-2026-25101 | 1 Bludit | 1 Bludit | 2026-03-30 | N/A |
| Bludit allows user's session identifier to be set before authentication. The value of this session ID stays the same after authentication. This behavior enables an attacker to fix a session ID for a victim and later hijack the authenticated session. This issue was fixed in version 3.17.2. | ||||
| CVE-2026-25100 | 1 Bludit | 1 Bludit | 2026-03-30 | N/A |
| Bludit is vulnerable to Stored Cross-Site Scripting (XSS) in its image upload functionality. An authenticated attacker with content upload privileges (such as Author, Editor, or Administrator) can upload an SVG file containing a malicious payload, which is executed when a victim visits the URL of the uploaded resource. The uploaded resource itself is accessible without authentication. The vendor was notified early about this vulnerability, but stopped responding in the middle of coordination. All versions up to 3.18.2 are considered to be vulnerable, future versions might also be vulnerable. | ||||
| CVE-2026-25099 | 1 Bludit | 1 Bludit | 2026-03-30 | N/A |
| Bludit’s API plugin allows an authenticated attacker with a valid API token to upload files of any type and extension without restriction, which can then be executed, leading to Remote Code Execution. This issue was fixed in 3.18.4. | ||||
| CVE-2026-4982 | 1 Pretix | 1 Venueless | 2026-03-30 | N/A |
| A user with permission "update world" in any Venueless world is able to exfiltrate chat messages from direct messages or channels in other worlds on the same server due to a bug in the reporting feature. The exploitability is limited by the fact that the attacker needs to know the internal channel UUID of the chat channel, which is unlikely to be obtained by an outside attacker, especially for direct messages. | ||||
| CVE-2026-32859 | 1 Bytedance Inc. | 1 Deerflow | 2026-03-30 | 5.4 Medium |
| ByteDance Deer-Flow versions prior to commit 5dbb362 contain a stored cross-site scripting vulnerability in the artifacts API that allows attackers to execute arbitrary scripts by uploading malicious HTML or script content as artifacts. Attackers can store malicious content that executes in the browser context when users view artifacts, leading to session compromise, credential theft, and arbitrary script execution. | ||||
| CVE-2026-33284 | 1 Globaleaks | 1 Globaleaks-whistleblowing-software | 2026-03-30 | N/A |
| GlobaLeaks is free and open-source whistleblowing software. Prior to version 5.0.89, the /api/support endpoint of GlobaLeaks performs minimal validation on user-submitted support requests. As a result, arbitrary URLs can be included in support emails sent to administrators. Version 5.0.89 patches the issue. | ||||